From 92c6c467e0522b6999f03701251114e65a541500 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Mon, 12 Jun 2017 21:21:03 +0200
Subject: [PATCH] auth: make sure all qnames entering pdns via axfr are properly lowered
---
 pdns/lua-auth4.cc | 2 +-
 pdns/slavecommunicator.cc | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/pdns/lua-auth4.cc b/pdns/lua-auth4.cc
index a14c12b3fb..9995970549 100644
--- a/pdns/lua-auth4.cc
+++ b/pdns/lua-auth4.cc
@@ -251,7 +251,7 @@ bool AuthLua4::axfrfilter(const ComboAddress& remote, const DNSName& zone, const
 if (col.first == "qtype")
 rec.qtype = QType(boost::get(col.second));
 else if (col.first == "qname")
- rec.qname = DNSName(boost::get(col.second));
+ rec.qname = DNSName(boost::get(col.second)).makeLowerCase();
 else if (col.first == "ttl")
 rec.ttl = boost::get(col.second);
 else if (col.first == "content")
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index ac676686cd..f89313d6da 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -201,7 +201,7 @@ static bool processRecordForZS(const DNSName& domain, bool& firstNSEC3, DNSResou
 throw PDNSException("Zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs are not supported.");
 zs.optOutFlag = ns3rc.d_flags & 1;
 if (ns3rc.d_set.count(QType::NS) && !(rr.qname==domain)) {
- DNSName hashPart = rr.qname.makeRelative(domain).makeLowerCase();
+ DNSName hashPart = rr.qname.makeRelative(domain);
 zs.secured.insert(hashPart);
 }
 return false;
@@ -249,6 +249,7 @@ static vector doAxfr(const ComboAddress& raddr, const DNSName
 }
 for(Resolver::res_t::iterator i=recs.begin();i!=recs.end();++i) {
+ i->qname.makeUsLowerCase();
 if(i->qtype.getCode() == QType::OPT || i->qtype.getCode() == QType::TSIG) // ignore EDNS0 & TSIG
 continue;
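Review bot: In the `@@ -251,7 +251,7 @@` hunk of pdns/lua-auth4.cc, nothing next to the new `.makeLowerCase()` call says why names built from the Lua filter's rows are lowered, and this is the only line in the patch that covers that entry point. A short comment above the assignment, for example `// names returned by the axfr filter script are lowered here, like every other qname taken in during a transfer`, would keep a later cleanup from removing the call as redundant. The enclosing loop and axfrfilter itself start and end outside the hunk, so whether a row without a "qname" column, or one whose value makes `boost::get` or the `DNSName` constructor throw, is handled cannot be judged from these lines.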
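Review bot: In the `@@ -201,7 +201,7 @@` hunk of pdns/slavecommunicator.cc, processRecordForZS now inserts `rr.qname.makeRelative(domain)` into `zs.secured` exactly as it arrives, so the function depends on every caller having lowered `rr.qname` first, and that precondition is written down nowhere. The callers touched by this patch do lower before the record gets here (the `i->qname.makeUsLowerCase()` added at the top of the doAxfr loop in the `@@ -249,6 +249,7 @@` hunk, and the loop in suck), but these names come from a remote server, and a future call site that forgets the step would put mixed-case entries back into the set without any error. Document the contract where the function is defined, e.g. `// rr.qname must already be lowercase; callers normalise it when the record is received`, or keep the lowering here as a cheap second check. The function's signature and the rest of its body lie outside the hunk.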
@@ -397,7 +398,7 @@ void CommunicatorClass::suck(const DNSName &domain, const string &remote)
 rrs.reserve(axfr.size());
 for(const auto& dr : axfr) {
 auto rr = DNSResourceRecord::fromWire(dr);
- rr.qname += domain;
+ (rr.qname += domain).makeUsLowerCase();
 rr.domain_id = zs.domain_id;
 if(!processRecordForZS(domain, firstNSEC3, rr, zs))
 continue;
-- 
2.47.2
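Review bot: The added line `(rr.qname += domain).makeUsLowerCase();` packs the append and the in-place lowering into one expression, which only reads correctly if the reader knows that `operator+=` on DNSName returns a reference to `rr.qname` rather than a temporary. Two statements, `rr.qname += domain;` followed by `rr.qname.makeUsLowerCase();`, do the same work and make it plain that the stored name, including the appended `domain` suffix, is what gets lowered before `processRecordForZS` sees it. The loop body continues past the end of the hunk.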